If you run a website that handles sensitive information such as email addresses, passwords and, more importantly, personal financial information, you should consider converting your site to SSL (Secure Sockets Layer, today more correctly called TLS) for the peace of mind of both you and your users.
What Is SSL?
Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client. The address of a secure website will begin with https, and you may have noticed that when you visit a non-https site a message sometimes appears in your browser warning you that you are visiting an insecure site.
Last week I secured my new forum with SSL and, although there is a small learning curve, the procedure was fairly straightforward. First you need to acquire an SSL certificate from a reputable source; the certificate gives details about the identity of your website and the entity or person that runs it. Once that source is chosen, a cryptographic key pair (a public and a private key) is created, allowing you to submit a CSR (Certificate Signing Request) so that your details can be verified, after which your certificate is issued. I must confess that this all sounded rather scary to me at first, especially when I discovered that there are many ways to acquire a certificate, both free and paid. In the end I went for a certificate from my hosting company GoDaddy, who assisted in the issuance of the certificate, but the rest was up to me and that’s when the learning curve kicked in.
Redirecting To HTTPS
In the end, the procedure for redirecting visitors to the HTTPS version of my site was fairly simple and involved nothing more than editing the .htaccess file in the root directory of the website, which is usually the public_html directory. An .htaccess file is a per-directory configuration file for web servers running the Apache Web Server software, and you can find more information on this at Htaccess Guide. This important file is reached through your cPanel, but make sure hidden system files are set to be shown or you’ll never find it.
Not finding an .htaccess file in the root, I created a new file in Notepad++ and copied the following text into it, as advised on the GoDaddy help page:
RewriteEngine On
# Only act on requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# Send the visitor to the same host and path over https, as a permanent (301) redirect
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I then saved the file as .htaccess, making sure it wasn’t saved with a .txt extension and that the dot at the beginning of the name wasn’t missing. That one single dot is crucial; without it you would be in a world of you know what. Following this small task I uploaded the .htaccess file to the root directory of my website through cPanel and waited for the magic to happen, since GoDaddy had already informed me that my certificate had been issued. But the magic didn’t happen, and a look-see on whynopadlock.com revealed a hostname mismatch, which was quickly remedied with a call to a GoDaddy helpline operative who pulled a few levers on the flux capacitor and corrected the mismatch.
But I wasn’t out of the woods yet, as whynopadlock.com then picked up ‘mixed content’, which had me scratching my head until I discovered that the mixed content in question was a couple of logo URLs prefixed with http rather than https. I corrected those tout de suite, ending up with a clean bill of health as shown below.
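As an added example, not part of the original post, here is a small Python checker for the ‘mixed content’ problem described above: it parses a page and lists every sub-resource (script, stylesheet, image, frame, media) that an https page would fetch over plain http, while ignoring ordinary links, relative paths and protocol-relative URLs, which inherit https. The sample HTML and hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes whose URL the browser fetches as a sub-resource.
# A plain http:// value here is mixed content; an <a href> is not, because
# the browser only navigates there when the visitor clicks it.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets and icons are fetched; rel=canonical etc. are not
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds "url 1x, url 2x": check every candidate URL in it
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                # Relative and protocol-relative (//cdn/...) URLs resolve to https
                if urlsplit(urljoin(self.page_url, cand)).scheme == "http":
                    self.findings.append((tag, name, cand))

def find_mixed_content(html, page_url="https://example.com/"):
    """Return (tag, attribute, url) for every sub-resource loaded over plain http."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page: two logos and a script still point at http
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/forum.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.com/jquery.js"></script>
</head><body>
<img src="http://example.com/images/logo.png" alt="logo">
<img src="//cdn.example.com/banner.png" srcset="/img/b1.png 1x, http://cdn.example.com/b2.png 2x">
<a href="http://www.bbc.co.uk/news">BBC News</a>
</body></html>"""
```

Running `find_mixed_content(SAMPLE_PAGE)` reports the script and the two http logo references; the canonical link, the anchor and the protocol-relative banner are correctly left alone.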
The end result is that when you visit my forum Argentina Expats, you’ll be reassured by the secure nature of the site and the green padlock at the left of the address bar. It could be said that securing my page with SSL wasn’t absolutely necessary, since it’s only an online forum after all. However, members are trusting me with a certain amount of personal information, such as their email addresses, which I have a duty to protect. It’s also possible that I may wish to give members the chance to donate towards the running of the site, and many plugins insist on websites being secured with SSL nowadays.
Why Isn’t Everyone Using SSL?
…is a question I’ve been asking myself for a few days now. Since SSL is designed to protect users and the information they provide to websites, why is it that so many major media companies do not secure their websites with SSL? This became abundantly clear when I pasted a BBC news story into my forum, hoping that a preview would appear with the story headline text as it had done before I went all HTTPS. But this didn’t happen, as BBC News is not a secure website. This surprised me until I read this BBC blog post from July 2016, with particular emphasis on the cost:
news.bbc.co.uk, will remain HTTP-only. This is due to the cost we’d incur processing tens of millions of old files to rewrite internal links to HTTPS when balanced against the benefit.
The same is true of many news websites, so perhaps there are just too many pages to process; who knows? For my part, securing my website with a nice green padlock does carry a certain kudos, but more than anything it shows my site visitors that I care about security.
—
Marc… Any video postings on instructions you recommend?
I used Web.com, they want a 10 dollar monthly fee to go to https.
Google wants all sites to be https…soon.
James
Sorry for the delay in replying.
There are loads of videos on YouTube and since I use Godaddy who are now familiar to me, try this:
https://youtu.be/QJ8CkBMIvro
I don’t pay a monthly fee to have my forum secured with SSL, so if I were you I’d shop around. In fact, I paid a one-off fee, renewable every 12 months.
But how can Google enforce https?